Hackers may be able to 'outwit' online banking security devices

Hackers may already able to use malware to outwit the latest generation of online banking security devices, security watchers warn.

An investigation by BBC Click underlines possible shortcomings in the extra security provided by banking authentication devices such as PINSentry from Barclays and SecureKey from HSBC. Using such two-factor authentication devices means that even if hackers trick consumers into handing over their bank login passwords they still won't be able to raid online banking accounts.

But although basic phishing attacks will fail, it might still be possible to hackers to monitor and alter a user's communication with a banking site using malware. Hackers could set up a fake banking website and prompt users attempting to log into their account for both their online login credential and, for example, a PINSentry code, a pseudo-random number that changes every every minute or so. This information would allow cybercrooks to log onto the genuine banking website, posing as a customer, before authorising fraudulent transfers or other payments.

This variant of a classic man-in-the-middle-attack is know in security circles as a man-in-the-browser attack. Isolated incidents of this type of fraud have cropped up over recent years, so the attack isn't new.

Phishers have been having a pop at two-factor authentication devices since at least 2006, if not earlier. Targets over the years have included customers at Citibank and some Nordic banks, among others.

While the tactic is understood in security circles, it is doubtful that many consumers are aware of it, so the BBC Click investigation is welcome in helping to publicise the issue.

The investigation – which does not highlight new instances of fraud or include quotes from victims – makes it clear that the threat is not tied to the technology supplied by any particular bank.

A spokeswoman for Financial Fraud Action told El Reg that the attack scenario illustrated the importance of keeping computer security up to date, as well as taking advantage of any additional security measures their bank might provide.

"Consumers ought to keep using the banking authentication devices," she said, adding that "even if consumers are unlucky enough to become victims of fraud they ought to be able to get reimbursed because the onus is on the bank to prove negligence."

This seems fair enough but it's worth noting that disputes over phantom withdrawals from ATMs are far from unknown. Consumers will probably get reimbursed for fraudulent transfers authorised using two-factor authentication devices but they're likely to have a tougher job in persuading banks that they didn't have anything to do with a transaction than might otherwise be the case.

Wolfgang Kandek, CTO of Qualys, said even though using banking authentication devices wasn't a foolproof way to stay safe while banking online, they are still worth using.

"Banks that offer two-factor authentication devices raise the bar for online security by a large margin. Common malware often found on PCs is not equipped to deal with the additional authentication steps required when using these devices.

"Nevertheless, no protection is complete. Advanced attackers have found ways to circumvent the additional security measures by infecting the user's browser and monitoring and altering the user's communication with the banking site. However, the malware needs to work much harder, because the user needs to be tricked into disclosing additional token codes, and the malware needs to act quickly, before they expire, typically after 60 seconds.

"Keeping your browser up to date will repel these infections at the onset, as attackers typically use well known browser vulnerabilities as their entry method to your PC," he added.

Banks deploying two-factor authentication have reportedly benefited from a substantial drop in fraud levels, we're told, although hard figures on this are hard to come by. Trust in authentication devices shouldn't be undermined by what boils down to a malware attack targeted at an end user's computer.

Hugh Callaghan, a security expert at management consultancy Ernst & Young, said that banks needs to rely on multiple security measures to reduce the possibility of fraud.

"There is no single, easy, solution for the banks to ensure the security of their online banking systems," he said. "A combination of techniques, working to complement each other, is required rather than relying solely on two-factor authentication regardless of how sophisticated this technique seems. Any approach to combating attacks against online banking must include updating and implementing rigorous anti-fraud control design processes, monitoring for any out of the ordinary customer transactions and tracking browsing patterns all of which could indicate an attack."

"We are also witnessing the emergence of newer techniques which require further development to be effective. For example, the use of full transaction data signing that requires users to input data to the token that they know is directly linked to the payment; this is usually a beneficiary account number. Unfortunately this can also be attacked, for example it can be dressed up as a 'security test' by misleading pop-ups in the browser," Callaghan added. ®